DNS paranoia

DNS Paranoia is a fake DNS server (dnsp.co) which debugs DNS behavior and detects DNS interference.

If you detect any DNS funny business happening, please let me know (with examples). I would love to name and shame.

How to use DNS Paranoia:

Queries sent to dnsp.co are answered with debugging information rather than the correct IP address. You talk to it via the DNS resolution utilities your operating system provides: typically "nslookup", "dig" or "host". (See: Finding your way around with DNS resolution tools)

Don't have dig? Download dig for Windows here (or, if you don't trust my download, you can dig it out of the official BIND release).

dig any domain @dnsp.co

Resolving any name via the nameserver at @dnsp.co will return a fixed response: If this doesn't appear, someone has altered it.

more about resolver→


"reflect.dnsp.co" will always return the IP address that made the request. If you ask it directly it should be your IP. If you ask it via another nameserver you will see the IP of that machine instead.

more about reflect→


Check it a few times. It should always be rising (until it wraps over from -> Isn't rising? Something must be cached along the way.

more about increment→

alternate ports

DNS usually works over UDP/53. We are also running our resolver on UDP/10053 so you can check for different responses.

more about alternate ports→


Time returns the time of day (in the server's timezone) that the request was made. 24 hour notation is used. (Also: time12.dnsp.co for 12 hour notation, date.dnsp.co for the date in yy.mm.dd.hh format)

more about time→


Loopback returns a time-based CNAME, which in turn resolves to localhost. This allows "ping" to quickly determine if a system is getting fresh DNS results.

more about loopback→

any string here.nx.dnsp.co

nx.dnsp.co and *.nx.dnsp.co return NXDOMAIN. Use this to test whether your ISP is overloading NXDOMAIN with landing pages for keyword-based advertising.

more about nx→


Sending a TXT request to raw.dnsp.co will return the raw bytes of the request (converted to hex) as a TXT record.

more about raw→
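
One way to use the raw echo, as an added example (not part of DNS Paranoia itself): decode the hex from the TXT answer and compare it field by field with the query you sent, so a forwarder that re-issued the query shows up as a changed transaction ID, altered name case or an added EDNS0 record. It assumes the TXT data is the whole query as plain hex digits; the function names and the sample echoes are constructed for illustration.

```python
import struct

def build_query(name, qtype=16, txid=0x1234, edns=False):
    """Build a minimal DNS query (QTYPE 16 = TXT, RD set), optionally with an EDNS0 OPT record."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    # OPT pseudo-record: root name, type 41, class = advertised UDP size, TTL 0, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns else b""
    return header + qname + struct.pack("!2H", qtype, 1) + opt

def parse_query(wire):
    """Decode the header and first question of a DNS query in wire format."""
    try:
        txid, flags, _qd, _an, _ns, ar = struct.unpack("!6H", wire[:12])
        labels, pos = [], 12
        while wire[pos]:
            n = wire[pos]
            if n & 0xC0:
                raise ValueError("compression pointer in question name")
            labels.append(wire[pos + 1:pos + 1 + n].decode("ascii", "replace"))
            pos += 1 + n
        qtype, qclass = struct.unpack("!2H", wire[pos + 1:pos + 5])
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated DNS message") from exc
    return {"id": txid, "rd": bool(flags & 0x0100), "qname": ".".join(labels),
            "qtype": qtype, "qclass": qclass, "arcount": ar, "length": len(wire)}

def diff_query(sent, echoed_txt):
    """Return {field: (sent, seen)} for every field that changed in transit."""
    # Assumption: the TXT data is plain hex digits; dig-style quotes and spaces are dropped.
    seen = parse_query(bytes.fromhex(echoed_txt.replace('"', "")))
    mine = parse_query(sent)
    # qname is compared case-sensitively so that case rewriting is reported too
    return {k: (mine[k], seen[k]) for k in mine if mine[k] != seen[k]}

if __name__ == "__main__":
    sent = build_query("raw.dnsp.co")
    # Constructed echoes: an untouched query, and one re-issued by a forwarder
    direct = sent.hex()
    forwarded = build_query("rAw.DnSp.cO", txid=0xBEEF, edns=True).hex()
    print("direct:   ", diff_query(sent, direct))
    print("forwarded:", diff_query(sent, forwarded))
```

An empty result means the bytes arrived exactly as sent; any listed field was rewritten somewhere between you and the server.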


Returns a random IP address for each request. If you get the same answer back to back, some device in between is caching.

more about random→

any string here.log.dnsp.co

Requests to any subdomain under *.log.dnsp.co will return a list of all the IP addresses that have asked to look up that same subdomain in the past.

more about log→


Returns a specific IP address. For instance, if you ask for "" you will get the result of "". Can be used if you suspect a specific IP address is being altered in transit.

more about spec→


Returns a specified number of results. A maximum of 255 IP addresses will be returned, but DNS size limitations may creep in.

more about count→


Returns a randomized CNAME record.

more about rndname→


fail.dnsp.co is NOT a nameserver. If you get a response from it, someone is intercepting and answering on its behalf.

more about fail→